DEBIAN-CVE-2026-0994
PUBLISHED
CVSS 7.5 HIGH
A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
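One way to bound nesting before untrusted input reaches ParseDict(), shown as an added example that is not part of this advisory or of the protobuf project's fix. It counts depth with an explicit stack so the guard cannot itself exhaust Python's recursion stack; `MAX_DEPTH`, the function names and the sample builder are assumptions made for illustration.

```python
# Added example: pre-parse depth guard for untrusted JSON-like dicts.
ANY_TYPE_URL = "type.googleapis.com/google.protobuf.Any"
MAX_DEPTH = 32  # assumed application limit, not a protobuf default


class NestingTooDeep(ValueError):
    """Raised when input nests deeper than the allowed limit."""


def nesting_depth(obj, limit=None):
    """Return the container nesting depth of a JSON-like value.

    Iterative on purpose: a recursive walker would fail on the same
    inputs it is meant to reject. With a limit, raise NestingTooDeep
    as soon as a container deeper than the limit is reached.
    """
    deepest = 0
    stack = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, (list, tuple)):
            children = node
        else:
            continue  # scalars add no depth
        if limit is not None and depth > limit:
            raise NestingTooDeep(f"depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)
        stack.extend((child, depth + 1) for child in children)
    return deepest


def check_before_parse(payload, limit=MAX_DEPTH):
    """Reject over-deep payloads; return acceptable ones unchanged."""
    nesting_depth(payload, limit=limit)
    return payload


def constructed_nested_any(levels):
    """Constructed sample input: Any envelopes nested `levels` deep."""
    node = {"@type": ANY_TYPE_URL, "value": {}}
    for _ in range(levels - 1):
        node = {"@type": ANY_TYPE_URL, "value": node}
    return node
```

Call `check_before_parse()` on the decoded dict and pass its return value to the parser; the limit applies to every dict and list level, so Any envelopes are counted like any other container.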
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | protobuf | 3.21.12-3, 3.21.12-4, 3.21.12-5 |
| Debian:13 | protobuf | 4.0.0, 3.21.12-12, 3.21.12-13 |
| Debian:12 | protobuf | 0, 3.21.12-11, 3.21.12-12 |
| Debian:14 | protobuf | 0, 3.21.12-11, 3.21.12-13 |
Exploit Intelligence
- tmp_audit.json (github-poc)
- dependency-scan.yaml (github-poc)
- test_ci_workflow_contracts.py (github-poc)
- test_protobuf_patch.py (github-poc)
- pipeline.py (github-poc)
- setup.py (github-poc)
- gateway_service.py (github-poc)
- hook_executor.py (github-poc)
- tool_commands.py (github-poc)
- setup.py (github-poc)
…and 1 more exploits
Timeline
- Jan 23, 2026 CVE Published
- Apr 28, 2026 CVE Updated